The Internet is a global public network of interconnected computer networks that utilize a standard set of communication and configuration protocols. It consists of many private, public, business, school, and government networks. Within each of the different networks are numerous host devices such as workstations, servers, cellular phones, portable computer devices, to name a few examples. These host devices are able to connect to devices within their own network or to other devices within different networks through communication devices such as hubs, switches, routers, and firewalls, to list a few examples.
Sometimes attackers attempt to disrupt network communications. A common type of attack is the denial-of-service (DoS) attack. Examples of DoS attacks include Internet Control Message Protocol (ICMP) floods, teardrop attacks, peer-to-peer attacks, smurf attacks and SYN floods. Typically, in a denial-of-service attack, an attacker floods a single network or device with huge amounts of traffic. The traffic consumes the network's available bandwidth, the computing resources of the victim device, or the capacity of the communication devices used to transmit the data. Because those resources are spent responding to the attack traffic, the targeted devices lose the ability to communicate with legitimate users.
One class of DoS attack is the distributed denial-of-service (DDoS) attack, which also attempts to overwhelm a network or device, but generates the attack traffic from numerous devices and/or locations simultaneously. Because the traffic originates from many sources, often thousands or millions of computers in different locations around the world, a DDoS attack is even more difficult to prevent or mitigate: an attack originating from a single device or location can be blocked at that source, whereas one launched from numerous devices in multiple locations cannot. For example, an attacker could use a botnet, a collection of infected computers that are controlled remotely and can number in the millions around the world, to launch the DDoS attack.
A common type of DoS attack is the SYN flood. A SYN flood exploits the TCP three-way handshake to consume connection state on the victim device. During a SYN flood an attacker sends a rapid succession of SYN requests (connection establishment requests) to a victim device, typically at a high rate while randomly varying the source (or host) address in each packet. This creates the appearance of numerous requests from legitimate hosts and makes it difficult to distinguish legitimate hosts and legitimate requests from attack traffic intended to disrupt the victim network or device. The victim device typically attempts to respond to every SYN request: it allocates a half-open connection entry, sends a SYN-ACK to the spoofed source address, and retransmits that SYN-ACK while waiting for an ACK that never arrives. Because the SYN requests are not generated by legitimate hosts, the victim wastes resources trying to communicate with nonexistent devices, and once its half-open connection table is full it drops further SYNs. The result is that legitimate users have difficulty connecting to the victim device because no resources are available. Additionally, if the volume of traffic is great enough, all the devices in the network may become unavailable and no one will be able to connect to any device within the network.
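The following is an added toy model of the state exhaustion just described; it is not part of the original text and is not a real TCP stack. The backlog size, the number of SYN-ACK retransmissions, the retransmission timeout and the addresses are all constructed assumptions. It shows that spoofed SYNs pin half-open entries for the whole retransmission schedule, so a modest flood rate is enough to refuse a legitimate client until those entries finally time out.

```python
"""Why a SYN flood works: the listener keeps a half-open entry for every SYN
it answers, and spoofed sources never complete the handshake.
Constructed toy model, not a real TCP stack; all constants are assumptions."""
import random
from dataclasses import dataclass

SYN_BACKLOG = 128                      # assumed half-open connection limit
SYNACK_RETRIES = 5                     # assumed retransmissions before giving up
RTO = 1.0                              # assumed initial retransmission timeout (s)
# An unanswered entry is held for the whole exponential-backoff schedule:
# 1 + 2 + 4 + 8 + 16 + 32 = 63 s before the stack finally frees it.
HOLD_SECONDS = sum(RTO * 2 ** i for i in range(SYNACK_RETRIES + 1))


@dataclass
class HalfOpen:
    created: float          # when the SYN arrived and a SYN-ACK was sent


class Listener:
    def __init__(self):
        self.half_open = {}      # (src_ip, src_port) -> HalfOpen
        self.established = 0
        self.refused = 0

    def _reap(self, now):
        """Free entries whose SYN-ACK retransmissions have all timed out."""
        for key, e in list(self.half_open.items()):
            if e.created + HOLD_SECONDS <= now:
                del self.half_open[key]

    def on_syn(self, src, now):
        self._reap(now)
        if len(self.half_open) >= SYN_BACKLOG:
            self.refused += 1          # backlog full: the SYN is silently dropped
            return False
        self.half_open[src] = HalfOpen(now)
        return True                    # SYN-ACK goes out; state is now consumed

    def on_ack(self, src, now):
        if self.half_open.pop(src, None) is None:
            return False               # no matching half-open entry
        self.established += 1
        return True


def random_source(rng):
    """Spoofed source address the attacker never intends to answer from."""
    return (".".join(str(rng.randrange(1, 255)) for _ in range(4)),
            rng.randrange(1024, 65536))


def simulate(flood_pps, seconds, seed=1):
    """Flood the listener, then see whether one legitimate client gets in."""
    rng = random.Random(seed)
    lst = Listener()
    now = 0.0
    for i in range(int(flood_pps * seconds)):
        now = i / flood_pps
        lst.on_syn(random_source(rng), now)   # attacker: SYN only, never an ACK
    legit = ("198.51.100.7", 40000)           # constructed legitimate client
    if lst.on_syn(legit, now):
        lst.on_ack(legit, now + 0.05)         # a real client completes the handshake
    return lst
```

At 200 SYNs per second for two seconds the backlog of 128 fills within the first second and the legitimate client is refused; at 10 per second it connects normally. The entries created by the flood only disappear once the 63-second retransmission schedule has run its course, which is why the defence described below authenticates the sender before any state is committed on the protected host.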
To protect against DoS attacks, some networks utilize a protection system installed between the protected network and external networks and the Internet. The protection system distinguishes between requests from legitimate hosts and attack traffic by performing an authentication process for new connection requests to a host device within the protected network.
In one example of authentication, after receiving a TCP SYN packet from an external host device, the protection system extracts the sender's internet protocol address (or IP address) from the TCP SYN packet. The protection system then sends a specific response back to the IP address (also referred to as host or source address) and waits for the external host device to respond with a correct reply.
If the source IP address is not legitimate, that is, it is spoofed and does not belong to the device that actually sent the SYN, then the device at that address will not respond, or will respond incorrectly, to the specific response from the protection system. If the IP address of the external host device is legitimate, then the external host device will respond with the correct reply. After the host responds with the correct reply, its address is added to a whitelist. Once whitelisted, future traffic from that IP address is forwarded without needing to be authenticated again by the protection system.
When authenticating an external device, the protection system ensures that each host address has only a single outstanding authentication attempt. That is, the protection system never has multiple authentication attempts outstanding for the same IP address of an external host device. The reason is that the protection system is designed to operate as transparently as possible, but is still required to intercept and authenticate all new connection requests from external devices attempting to access protected devices. If there were multiple outstanding attempts from the same IP address, it would be difficult for the protection system to match each reply from the external host device to the challenge it was issued for and so to verify that the authentication protocol has been followed.
Another reason to limit the authentication attempts per external address is to prevent the protection system from being used to launch an attack against a third-party host by inundating that host with the responses generated by authentication attempts (a reflected attack). In a reflected attack, an attacker sends a series of connection requests with a spoofed source IP address to a protected device within the protected network. The spoofed source IP address is actually the address of an innocent third-party device (the victim). In response to each request, the protection system would send a response to the innocent third party as part of the authentication process, and the third party would be flooded with traffic generated by the protection system. Limiting each external address to a single outstanding authentication attempt caps the traffic the protection system can be induced to send to any one address, and so prevents the protection system from being used as an amplifier in a reflected denial-of-service attack.
The protection system tracks each host device trying to access the protected network with a host table. The host table is a data structure within the memory of the protection system that stores the IP addresses of external devices attempting to connect to the protected network. The host table is allocated a fixed amount of memory for storing the IP addresses and is split into two groups: a group of pending (unauthenticated) hosts and a group of whitelisted (authenticated) hosts. To limit the number of concurrent authentication attempts and prevent the protection system itself from being overwhelmed, the number of pending entries is capped. Capping the pending group ensures that a flood of unauthenticated requests cannot evict whitelisted entries from the host table.
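The following is an added model of the protection system described in the preceding paragraphs: the challenge-and-reply authentication of new SYNs, the whitelist pass-through, the single outstanding attempt per external address that blunts reflection, and the fixed-size host table with a capped pending group. It is constructed example code, not the original text's or any vendor's implementation. The text does not say what the "specific response" is, so the challenge here is assumed to be a SYN-ACK carrying a keyed-cookie sequence number that only the real sender can acknowledge; the table sizes, timeout, secret and addresses are likewise assumptions, and the eviction policy within the whitelist is an added assumption as well.

```python
"""Model of the SYN-authenticating protection system described above.
Constructed example; the challenge (a SYN-ACK whose cookie-derived sequence
number the real sender must acknowledge) and every constant are assumptions."""
import hashlib
import hmac
import random
from dataclasses import dataclass

HOST_TABLE_SIZE = 8                             # assumed fixed number of entries
MAX_PENDING = 3                                 # assumed cap on unauthenticated entries
WHITELIST_CAP = HOST_TABLE_SIZE - MAX_PENDING   # space pending entries can never take
PENDING_TTL = 5.0                               # assumed seconds a challenge stays open
SECRET = b"constructed-secret"                  # keys the cookie against guessing


@dataclass
class Segment:
    src_ip: str
    src_port: int
    dst_port: int
    ack: int = 0           # acknowledgement number carried by an ACK segment


def cookie(seg):
    """32-bit initial sequence number bound to the request's 3-tuple."""
    msg = f"{seg.src_ip}|{seg.src_port}|{seg.dst_port}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class ProtectionSystem:
    def __init__(self):
        self.pending = {}      # src_ip -> (expires_at, expected_ack)
        self.whitelist = {}    # src_ip -> last_seen
        self.emitted = []      # (dst_ip, kind) for every packet the system sends

    def _expire(self, now):
        for ip, (expires_at, _) in list(self.pending.items()):
            if expires_at <= now:
                del self.pending[ip]

    def on_syn(self, seg, now):
        self._expire(now)
        ip = seg.src_ip
        if ip in self.whitelist:       # already authenticated: pass straight through
            self.whitelist[ip] = now
            return "forward"
        if ip in self.pending:         # one outstanding attempt per address, so a
            return "drop"              # spoofed flood yields one SYN-ACK, not thousands
        if len(self.pending) >= MAX_PENDING:
            return "drop"              # pending group full; whitelist space untouched
        isn = cookie(seg)
        self.pending[ip] = (now + PENDING_TTL, (isn + 1) & 0xFFFFFFFF)
        self.emitted.append((ip, "SYN-ACK"))
        return "challenge"

    def on_ack(self, seg, now):
        self._expire(now)
        ip = seg.src_ip
        entry = self.pending.get(ip)
        if entry is None or seg.ack != entry[1]:
            return "drop"              # no challenge outstanding, or wrong reply
        del self.pending[ip]
        if len(self.whitelist) >= WHITELIST_CAP:   # assumed: evict least recently seen
            del self.whitelist[min(self.whitelist, key=self.whitelist.get)]
        self.whitelist[ip] = now
        return "whitelist"


def run_scenario(seed=7):
    """Legitimate client, bogus reply, reflection attempt, randomised flood."""
    rng = random.Random(seed)
    ps = ProtectionSystem()
    out = {}
    legit = Segment("198.51.100.7", 40000, 80)          # constructed real client
    out["legit_first"] = ps.on_syn(legit, 0.0)
    reply = Segment("198.51.100.7", 40000, 80, ack=(cookie(legit) + 1) & 0xFFFFFFFF)
    out["legit_ack"] = ps.on_ack(reply, 0.05)
    out["legit_second"] = ps.on_syn(legit, 1.0)
    # A sender that answers with a made-up ACK never gets whitelisted.
    ps.on_syn(Segment("192.0.2.44", 5555, 80), 1.0)
    out["bad_ack"] = ps.on_ack(Segment("192.0.2.44", 5555, 80, ack=12345), 1.1)
    # Reflection attempt: 1000 SYNs spoofed with a third party's address.
    victim = "203.0.113.9"
    for i in range(1000):
        ps.on_syn(Segment(victim, 1024 + i, 80), 2.0)
    out["reflected_packets"] = sum(1 for ip, _ in ps.emitted if ip == victim)
    # Randomised-source flood: pending stays capped and the whitelist survives.
    peak = 0
    for i in range(1000):
        ip = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        ps.on_syn(Segment(ip, 1024 + i, 80), 3.0 + i / 1000)
        peak = max(peak, len(ps.pending))
    out["peak_pending"] = peak
    out["legit_during_flood"] = ps.on_syn(legit, 4.0)
    return out
```

In the scenario the legitimate client is challenged once, answers correctly, and every later SYN from it is forwarded; the sender with a bogus ACK stays pending until its entry expires; the thousand SYNs spoofed with the third party's address produce exactly one SYN-ACK towards that address; and the randomised flood never pushes the pending group past its cap, so the whitelisted client keeps getting through. Completing the first connection to the protected host after a successful challenge is left out, as the text does not describe it.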